Lecture 1 - APIC 1.2.3

Uploaded by

gurumelfrank
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
29 views48 pages

Lecture 1 - APIC 1.2.3

Uploaded by

gurumelfrank
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 48

Digital Forensics

ICT3052
APIC’s Copyright Warning Notice

WARNING
This material has been reproduced and communicated to you by or on behalf of Asia Pacific
International College in accordance with section 113P of the Copyright Act 1968 (Act).
The material in this communication may be subject to copyright under the Act. Any further
reproduction or communication of this material by you may be the subject of copyright
protection under the Act.
Do not remove this notice.
Module 1: Introduction to Forensic Investigation
Module 1 learning objectives
By the end of today's lecture, you will be able to:
• describe digital forensics
• understand how to prepare computer investigations and summarise the difference between public-sector and private-sector investigations
• explain the importance of maintaining professional conduct
• explain the procedure for a digital forensics investigation using a systematic approach
• identify the steps for private-sector digital investigations
• understand the requirements and the software used for data recovery workstations
• summarise how to investigate and critique a case.
Digital Forensics

Investigating digital devices includes:
• Collecting data securely
• Examining the suspect data to check and verify details such as origin and content
• Presenting digital information to courts
• Applying laws to digital device practices

Digital forensics vs data recovery
• Data recovery involves retrieving information that was deleted by mistake or lost during a power surge or server crash; the owner just wants the data back, so the evidence-handling rigour of a forensic investigation (search authority, chain of custody, validated tools) is not required
Forensics investigators often work as part of a team, known as the investigations triad.
Digital Forensics and Other Related Disciplines

The investigations triad:
• Vulnerability/threat management and risk management
  • Tests and verifies the integrity of stand-alone workstations and network servers
• Network intrusion detection and incident response
  • Detects intruder attacks by using automated tools and by monitoring network firewall logs
• Digital investigations
  • Manages investigations and conducts forensic analysis of systems suspected of containing evidence
Digital Forensics definition
The application of IT techniques and investigative procedures for legal purposes involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.
So, you should ask yourself a question: what can digital evidence be?
Digital Forensics – NIST definition
• The application of computer science and investigative procedures involving the examination of digital evidence, following proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possibly expert testimony.
• The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
• Digital forensics is more than just data recovery.
What do you need to be a successful digital forensics practitioner?

One needs a combination of the following:
• Extensive knowledge of computers and technology (contemporary and legacy)
• Passion and an investigative nature
• Professional conduct
• Common sense
• Ability to think outside the box
• Ability to solve problems where no obvious solution exists
• Attention to detail
• Persistence
Digital Forensics Versus Other Disciplines

Some closely related disciplines and technologies that a digital forensics practitioner must understand:
• ICT technologies
• Smart device architectures
• IT networks
• Cloud computing and how it works
• The law of the land and its legal requirements
Maintaining Professional Conduct

• Professional conduct includes ethics, morals, and standards of behavior
• An investigator must exhibit the highest level of professional behavior at all times
• Training to update skills: investigators should also attend training and obtain certifications to stay current with the latest technical changes in computer hardware and software, networking, and forensic tools
• Maintain objectivity
• Maintain credibility by maintaining confidentiality
Digital Forensics General Steps
Ken Zatyko: digital forensics can be explained with the following eight steps:
• Search authority (a search warrant, or an authorisation letter in the case of corporate investigations)
• Chain of custody
• Imaging / hashing function
• Validated tools
• Analysis
• Repeatability (quality assurance)
• Reporting
• Possible expert presentation
Developing Digital Forensics Resources
• You must know more than one computing platform
  Example: DOS, Windows 9x, Linux, Macintosh, and current Windows platforms
• You must also be familiar with new technologies, e.g. smart devices, drones, cloud, social media etc.
• Join as many computer user groups as you can
  • Australian Information Security Association (AISA) (https://www.aisa.org.au/)
  • Forensic Focus (forensicfocus.com)
  • Magnet Forensics (magnetforensics.com): look for their whitepapers under Resources
  • High Technology Crime Investigation Association (HTCIA) (https://htcia.org/)
Developing Digital Forensics Resources
• User groups exchange information about techniques related to computer investigation and security, so they can be helpful
• Build a network of computer forensics experts and other professionals, and keep in touch through e-mail and online social networks (OSNs)
• Get professional certifications such as CISSP (from (ISC)²), CHFI, EnCE, ACE, or the GIAC certifications
Developing Digital Forensics Resources

To supplement your knowledge:
• Try to connect with as many network and security professionals as possible and maintain good relationships with them.
• Join computer groups in the public and private sectors
  • Example: the Computer Technology Investigators Network (CTIN) meets to discuss problems that digital forensics examiners encounter
• Consult outside experts
Preparing for Digital Investigations

Digital investigations fall into two categories:
• Public-sector investigations
• Private-sector investigations
Preparing for Digital Investigations

• Public-sector investigations involve government agencies responsible for criminal investigations and prosecution
  • In the United States, the Fourth Amendment to the U.S. Constitution restricts government search and seizure
  • The Department of Justice (DOJ) publishes guidance on computer search and seizure, and updates it regularly
• Private-sector investigations focus more on policy violations
Following Legal Processes

• A criminal investigation usually begins when someone finds evidence of, or witnesses, a crime
  • The witness or victim makes an allegation to the police
  • Police interview the complainant and write a report about the crime
  • The report is then processed, and management decides whether to start an investigation or log the information in a police blotter
• Digital Evidence First Responder (DEFR)
  • Arrives on an incident scene, assesses the situation, and takes precautions to acquire and preserve evidence
• Digital Evidence Specialist (DES)
  • Has the skill to analyze the data and determine when another specialist should be called in to assist
• Affidavit: a sworn statement in support of facts about, or evidence of, a crime
  • Must include exhibits that support the allegation
Understanding Private-Sector Investigations

• Private-sector investigations involve private companies and lawyers who address company policy violations
and litigation disputes
• Example: wrongful termination
• Private companies strive to minimize or eliminate litigation
• Private-sector crimes can involve:
• E-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and
industrial espionage
• Businesses can reduce the risk of litigation by publishing and maintaining policies that employees find easy to read and follow
• The most important of these policies defines the rules for using the company's computers and network; it is known as an acceptable use policy (AUP)
Understanding Private-Sector Investigations

• Line of authority: states who has the legal right to initiate an investigation, who can have possession of evidence, and who can access evidence
• Businesses can avoid litigation by displaying a warning banner on monitors
  • Informs end users that the organization reserves the right to inspect systems and network traffic at will
Understanding Private-Sector Investigations

• Businesses are advised to specify an authorized requester who has the right to initiate investigations
• Examples of groups with authority
• Corporate security investigations
• Corporate ethics office
• During private investigations, you commonly search for evidence to support allegations of violations of a company’s rules or
an attack on its assets
• Three types of situations are common:
• Abuse or misuse of computing assets
• E-mail abuse
• Internet abuse
• A private-sector investigator’s job is to minimize risk to the company
Understanding Private-Sector Investigations

• Distinguishing personal from company systems can be difficult with cell phones, smartphones, personal notebooks, and tablet computers
  • Bring your own device (BYOD) environment
  • Some companies inform employees that if they connect a personal device to the business network, it falls under the same rules as company property
Preparing a Digital Forensics Investigation

• The role of the digital forensics professional is to gather evidence to prove that a suspect committed a crime or violated a company policy
• Collect evidence that can be offered in court or at a corporate inquiry
  • Investigate the suspect's computer
  • Preserve the evidence on a different computer
  • Maintain the chain of custody
An Overview of a Computer Crime

• Computer systems can contain information which can help law enforcement
determine:
• Chain of events leading to a crime
• Evidence that can lead to a conviction
• Law enforcement officers should follow proper procedure when acquiring the
evidence
• Digital evidence can be altered effortlessly by an overeager investigator
• A potential challenge: data on hard disk drives might be password protected
and use of forensics tools may be necessary for the investigation
An Overview of a Company Policy Violation

• Employees misusing resources can cost companies millions of dollars
• Misuse includes:
  • Surfing the Internet
  • Sending personal e-mails
  • Using company computers for personal tasks
Taking a Systematic Approach
Steps for problem solving
• Make an initial assessment about the type of case you are investigating
• Determine a preliminary design or approach to the case
• Create a detailed checklist
• Identify the resources you need
• Obtain and make a copy of the evidence drive
• Identify the risks
• Mitigate or minimize the risks
• Test the design
• Analyze and recover the digital evidence
• Investigate the data you recover
• Complete the case report
• Critique the case
Assessing the Case

Systematically outline the case details:
• Situation
• Nature of the case
• Specifics of the case
• Type of evidence
• Known disk format
• Location of evidence
Based on these details, you can determine the case requirements
Planning Your Investigation
A basic investigation plan should include the following activities:
• Acquire the evidence
• Complete an evidence form and establish a chain of custody
• Transport the evidence to a computer forensics lab
• Secure the evidence in an approved secure container
• Prepare your forensics workstation
• Retrieve the evidence from the secure container
• Make a forensic copy of the evidence
• Return the evidence to the secure container
• Process the copied evidence with computer forensics tools
Planning Your Investigation

• An evidence custody form helps you document, step by step, what was done with the original evidence and its forensic copies
  • Also called a chain-of-evidence form
  • Two types:
    • Single-evidence form: lists each piece of evidence on a separate page
    • Multi-evidence form: lists several pieces of evidence on one form
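An evidence custody form as an added worked example (Python; this is not code from the lecture or from the Nelson et al. text). It shows what the form must let you check later: that every handoff's releaser was the previous receiver, that handoffs are in time order, and that the item's hash at each check still matches the hash recorded at seizure. The names, times, hash values and the check_chain/build_demo_form functions are constructed assumptions; the signatures a paper form carries are not modelled.

```python
"""Evidence custody (chain-of-custody) form as a checkable record.

Added example, not from the lecture or the Nelson et al. text. Field names,
people, times and hash values are constructed; signatures are not modelled.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class CustodyEntry:
    when: datetime
    released_by: str
    received_by: str
    purpose: str      # e.g. "transport to lab", "imaging", "return to locker"
    sha256: str       # hash of the item as checked at this handoff


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquired_sha256: str              # hash recorded when the item was seized
    entries: list = field(default_factory=list)


@dataclass
class CustodyForm:
    """A multi-evidence form: several items on one record. A single-evidence
    form is the same structure holding exactly one item."""
    case_id: str
    items: list = field(default_factory=list)


def log_handoff(item, when, released_by, received_by, purpose, sha256):
    item.entries.append(CustodyEntry(when, released_by, received_by, purpose, sha256))


def check_chain(form):
    """Return (item_id, problem) tuples. An empty list means every item has a
    continuous chain (each releaser is the previous receiver, times increase)
    and its hash never changed between seizure and the latest handoff."""
    problems = []
    for item in form.items:
        prev = None
        for n, entry in enumerate(item.entries, start=1):
            if prev is not None and entry.released_by != prev.received_by:
                problems.append((item.item_id, f"entry {n}: released by {entry.released_by}, "
                                 f"but last custodian was {prev.received_by}"))
            if prev is not None and entry.when < prev.when:
                problems.append((item.item_id, f"entry {n}: timestamp earlier than entry {n - 1}"))
            if entry.sha256 != item.acquired_sha256:
                problems.append((item.item_id, f"entry {n}: hash differs from acquisition hash"))
            prev = entry
    return problems


def build_demo_form():
    """Constructed form for two items. EV-002 deliberately has a custody gap and
    a changed hash so that check_chain has something to report."""
    def t(h, m):
        return datetime(2024, 3, 11, h, m)          # constructed timestamps
    h1, h2 = "a" * 64, "b" * 64                     # stand-ins for real SHA-256 values
    ev1 = EvidenceItem("EV-001", "Laptop SSD, 512 GB", h1)
    log_handoff(ev1, t(9, 5), "IT manager", "Examiner A", "seizure at office", h1)
    log_handoff(ev1, t(10, 40), "Examiner A", "Lab evidence locker", "secure storage", h1)
    log_handoff(ev1, t(13, 0), "Lab evidence locker", "Examiner A", "imaging", h1)
    log_handoff(ev1, t(15, 30), "Examiner A", "Lab evidence locker", "return to storage", h1)
    ev2 = EvidenceItem("EV-002", "USB flash drive, 32 GB", h2)
    log_handoff(ev2, t(9, 10), "IT manager", "Examiner A", "seizure at office", h2)
    # Gap: Examiner B never received the drive from Examiner A.
    log_handoff(ev2, t(11, 0), "Examiner B", "Lab evidence locker", "secure storage", h2)
    # Altered: the hash checked at imaging no longer matches the seizure hash.
    log_handoff(ev2, t(12, 0), "Lab evidence locker", "Examiner B", "imaging", "c" * 64)
    return CustodyForm("CASE-2024-017", [ev1, ev2])


if __name__ == "__main__":
    for item_id, problem in check_chain(build_demo_form()):
        print(item_id, problem)
```

Running the block reports two problems, both against EV-002, and nothing against EV-001; a chain that cannot pass this check is what opposing counsel will attack first.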
Securing Your Evidence
• Use evidence bags to secure and catalog the evidence
• Use computer-safe products when collecting computer evidence
  • Antistatic bags
  • Antistatic pads
• Use well-padded containers
• Use evidence tape to seal all openings
  • CD drive bays
  • Insertion slots for power supply cords and USB cables
• Write your initials on the tape so that any tampering with the seal can be detected
• Consider computer-specific temperature and humidity ranges
  • Make sure the temperature is suitable when transporting the evidence
Employee Termination Cases

• Most investigative work for termination cases involves employee abuse of corporate assets
• Incidents that create a hostile work environment are the predominant types of cases investigated
  • Viewing pornography in the workplace
  • Sending inappropriate e-mails
• Organizations must have appropriate policies in place
Interviews and Interrogations in High-Tech Investigations

• Becoming a skilled interviewer and interrogator can take many years of experience
• Interviews are conducted to gather information from witnesses or suspects
• Interrogation
  • The process of trying to get a suspect to confess
• The digital investigator is usually responsible for preparing the questions to ask; the investigator conducting the interview asks them
• Tips for a successful interview or interrogation
  • Being patient throughout the session
  • Repeating or rephrasing questions to zero in on specific facts from a reluctant witness or suspect
  • Being tenacious
Understanding Data Recovery Workstations and Software

• Investigations are conducted in a computer forensics lab (or data-recovery lab)
• In data recovery, the customer or your company just wants the data back
• A computer forensics workstation is a specially configured computer with additional drive bays and ports and forensic tools installed
• To avoid altering the evidence, write blockers are used. A write blocker prevents any write to the evidence drive: a hardware write blocker sits between the evidence drive and the workstation and passes only read commands; a software write blocker stops the operating system from writing to (or automatically mounting) the drive during boot and examination
Conducting an Investigation

• Gather the resources identified in the investigation plan
• Items needed
  • Original storage media
  • Evidence custody form
  • Evidence container for the storage media
  • Bit-stream imaging tool
  • Forensic workstation to copy and examine your evidence
  • Securable evidence locker, cabinet, or safe
Gathering the Evidence

• Avoid damaging the evidence
• Steps
  • Meet the IT manager to interview him
  • Fill out the evidence form and have the IT manager sign it
  • Store the evidence in a secure container
  • Carry the evidence to the computer forensics lab
  • Complete the evidence custody form
  • Secure the evidence by locking the container
Acquiring an Image of Evidence Media

• First rule of computer forensics
  • Preserve the original evidence
  • Conduct your analysis only on a copy of the data
• Several vendors provide MS-DOS, Linux, and Windows acquisition tools
  • Windows tools require a write-blocking device when acquiring data from FAT or NTFS file systems
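The acquisition rule above, and the "Imaging / hashing function" and "Repeatability" steps in Zatyko's list earlier in the lecture, as one added worked example (Python; this is not code from the lecture or from any of the acquisition tools mentioned). It copies every sector of the source to an image file, hashes the stream while it is written (the acquisition hash), re-hashes the finished image independently (the verification hash), and records any sector that could not be read. The source drive is a constructed in-memory stand-in with one unreadable sector; zero-filling bad sectors in the style of dd's conv=noerror,sync and the run_demo name are my assumptions. Reading a device through a plain open() is not a write blocker; the evidence drive still belongs behind one.

```python
"""Bit-stream acquisition with hash verification.

Added example, not code from the lecture or from any named tool. The source
"drive" is a constructed in-memory stand-in with one unreadable sector, so the
noerror/sync-style handling of bad sectors can be shown without hardware.
"""
import hashlib
import os
import tempfile

SECTOR_SIZE = 512


def make_evidence_device(n_sectors, bad_sectors):
    """Constructed stand-in for a source drive (assumption: not real hardware).

    Returns read_sector(i), which yields 512 bytes or raises OSError for the
    sectors listed in bad_sectors, the way a failing disk would.
    """
    data = bytes(range(256)) * 2 * n_sectors  # deterministic filler content

    def read_sector(i):
        if i in bad_sectors:
            raise OSError(5, "Input/output error")
        return data[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]

    return read_sector


def acquire(read_sector, n_sectors, image_path):
    """Copy every sector of the source to image_path and hash the stream.

    An unreadable sector is written as zeros and logged (like dd's
    conv=noerror,sync) so the image keeps the source's size and offsets and the
    examiner's notes show exactly which sectors could not be read. The hash is
    computed over the bytes actually written: that is the acquisition hash.
    Note: reading through a plain open() is NOT a write blocker; the evidence
    drive must still sit behind a hardware or software write blocker.
    """
    digest = hashlib.sha256()
    unreadable = []
    with open(image_path, "wb") as out:
        for i in range(n_sectors):
            try:
                chunk = read_sector(i)
            except OSError as err:
                chunk = b"\x00" * SECTOR_SIZE
                unreadable.append((i, str(err)))
            out.write(chunk)
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "sectors": n_sectors,
            "unreadable": unreadable}


def hash_file(path):
    """SHA-256 of a file, read in 1 MiB blocks so large images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def verify(image_path, acquisition_sha256):
    """Verification hash: re-read the image independently of the acquisition
    pass. A mismatch means the image is not a faithful copy and must not be
    analysed (the 'validation with mathematics' and 'repeatability' steps)."""
    return hash_file(image_path) == acquisition_sha256


def run_demo():
    """Image a constructed 8-sector device whose sector 3 is unreadable, verify
    the image, then change one byte to show the verification catching it."""
    read_sector = make_evidence_device(n_sectors=8, bad_sectors={3})
    image = os.path.join(tempfile.mkdtemp(), "evidence.dd")
    record = acquire(read_sector, 8, image)
    verified = verify(image, record["sha256"])
    with open(image, "rb") as f:
        sector3 = f.read()[3 * SECTOR_SIZE:4 * SECTOR_SIZE]
    with open(image, "r+b") as f:      # simulate a working copy being altered
        f.write(b"\xff")
    return {"record": record,
            "verified": verified,
            "verified_after_change": verify(image, record["sha256"]),
            "sector3_zeroed": sector3 == b"\x00" * SECTOR_SIZE,
            "image_size": os.path.getsize(image)}


if __name__ == "__main__":
    print(run_demo())
```

Both hashes (acquisition and verification) belong on the evidence custody form and in the report, together with the list of unreadable sectors; an examiner who reruns the acquisition on the same source with the same tool should obtain the same hash, which is what "repeatability" means in practice.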
Analyzing Your Digital Evidence

• Your job is to recover data from:
  • Deleted files
  • File fragments
  • Complete files
• Deleted files linger on the disk until new data is saved to the same physical location
• Tools can be used to retrieve deleted files
  • Autopsy
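Why deleted files can still be recovered, as an added worked example (Python; this is not code from the lecture and not Autopsy's own code). Autopsy recovers deleted files from file-system metadata where it survives; this block shows the content-based fallback, signature carving, which finds a file by its header and footer bytes in a raw image even when no directory entry points at it, returns a header with no footer as a fragment, and stops finding the file once its sectors have been reused by new data. The 16-sector disk, the JPEG/PNG contents and the function names are constructed assumptions; the header and footer bytes are the real magic values for those two formats.

```python
"""Recovering a deleted file from a raw image by signature (header/footer) carving.

Added example, not from the lecture and not Autopsy's own code. The 'disk' is a
constructed 16-sector byte array: the JPEG at sector 4 is treated as deleted
(its directory entry is gone, its data is not), and a PNG header at sector 14
with no footer stands in for a file fragment.
"""
SECTOR = 512

# (header, footer) pairs for two common formats; these are the real magic bytes
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, signatures=SIGNATURES, max_fragment=4096):
    """Scan raw bytes for file headers and return each file found.

    A header followed by its footer is carved whole; a header with no footer
    is returned as a fragment of at most max_fragment bytes, which is what the
    examiner sees when part of a file has already been overwritten.
    """
    found = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while (start := image.find(head, pos)) >= 0:
            tail_at = image.find(tail, start + len(head))
            if tail_at >= 0:
                end = tail_at + len(tail)
                found.append({"type": kind, "offset": start,
                              "data": image[start:end], "fragment": False})
                pos = end
            else:
                end = min(len(image), start + max_fragment)
                found.append({"type": kind, "offset": start,
                              "data": image[start:end], "fragment": True})
                pos = start + len(head)
    return sorted(found, key=lambda f: f["offset"])


def overwrite_sectors(disk, first_sector, count, new_data):
    """Return a copy of disk in which `count` sectors from first_sector hold
    new_data (repeated): the file system reusing space a deleted file occupied."""
    disk = bytearray(disk)
    size = count * SECTOR
    filler = (new_data * (size // len(new_data) + 1))[:size]
    disk[first_sector * SECTOR:first_sector * SECTOR + size] = filler
    return disk


def build_demo_image():
    """Constructed 16-sector disk: a 'deleted' JPEG, a whole PNG, a PNG fragment."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + bytes(range(100)) + b"\xff\xd9"
    png_head = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + bytes(17)
    png = png_head + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    disk = bytearray(16 * SECTOR)                    # unallocated space: zeros
    disk[4 * SECTOR:4 * SECTOR + len(jpeg)] = jpeg   # no directory entry points here any more
    disk[10 * SECTOR:10 * SECTOR + len(png)] = png
    disk[14 * SECTOR:14 * SECTOR + len(png_head)] = png_head   # tail already lost
    return disk


if __name__ == "__main__":
    disk = build_demo_image()
    for f in carve(bytes(disk)):
        print(f["type"], f["offset"], len(f["data"]), "fragment" if f["fragment"] else "whole")
    # Once sector 4 is reused, the JPEG can no longer be recovered.
    reused = overwrite_sectors(disk, 4, 1, b"Q3 budget notes ")
    print([f["type"] for f in carve(bytes(reused))])
```

Carving is only ever run against the forensic copy, never the original media, and each carved object should be hashed and noted with its byte offset so the finding can be reproduced from the image later.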
Analyzing Your Digital Evidence

Steps to analyze a USB drive:
• Start Autopsy
• Create a new case
• Type the case name
• Select the working folder

Steps to add source data:
• Select the data source type
• Select the image file
• Keep the default settings in the Configure Ingest Modules window

Steps to display the contents of the acquired data:
• Click to expand Views, File Types, By Extension, and Documents
• Select a file to display
• Click Tag and Comment
• Click the New Tag Name button

Analyze the data:
• Search for information related to the complaint
• Data analysis can be the most time-consuming task
Analyzing Your Digital Evidence

• With Autopsy you can:
  • Search for any keyword in the files and display the results in the results window
  • Click each file in the search results window and examine its content in the data area
  • Export the data to any folder
  • Search for specific filenames
  • Generate a report of your activities
• Additional features of Autopsy
  • Display binary (nonprintable) data in the Content Viewer
Completing the Case

• You need to produce a final report to document your work
  • Include the Autopsy report
  • If required, use a report template
• Repeatable findings: repeating the steps must produce the same result
• The report should show conclusive evidence that the suspect did or did not commit a crime or violate a company policy
• Keep a written journal of everything you do
  • Your notes can be used in court
• Answer the six Ws: who, what, when, where, why, and how
• You must also explain computer and network processes
• Autopsy Report Generator
  • Can generate reports in different styles: plain text, HTML and Excel
• Autopsy (https://www.sleuthkit.org/autopsy/)
• OSForensics (https://www.osforensics.com/index.html)
• WinHex (https://www.x-ways.net/winhex/)
• FTK Imager Lite (https://accessdata.com/product-download/ftk-imager-lite-version-3.1.1)
Summary

• Digital forensics involves systematically accumulating and analyzing digital information for use as evidence in civil, criminal, and administrative cases
• Investigators need specialized workstations to examine digital evidence
• Public-sector and private-sector investigations differ; public-sector investigations typically require a search warrant before digital evidence is seized
Summary

• Always use a systematic approach to your investigations
• Always plan a case considering the nature of the case, the case requirements, and the evidence-gathering techniques
• Both criminal cases and corporate-policy violations can go to court
• Plan contingencies for any problems you might encounter
• Keep track of the chain of custody of your evidence
Summary

• Internet abuse investigations require examining server log data
• For attorney-client privilege cases, all written communication should remain confidential
• A bit-stream copy is a bit-by-bit duplicate of the original disk
• Always maintain a journal to keep notes on exactly what you did
• You should always critique your own work
References

• Nelson, B., Phillips, A., & Steuart, C. (2019). Guide to Computer Forensics and Investigations (6th ed.). Boston, MA: Course Technology.
• Brooks, C. L. (2014). CHFI Computer Hacking Forensic Investigator Certification All-in-One Exam Guide. McGraw-Hill.